For example, we vendor gRPC and it still depends on 20.0 in its latest version (https://mvnrepository.com/artifact/io.grpc/grpc-core/1.15.1).
On Mon, Oct 15, 2018 at 2:10 PM Lukasz Cwik <lc...@google.com> wrote:
> 20.0 is a common version used by many of our dependencies, using 20.0 is least likely to cause classpath issues. Note that with Guava 22.0+, they have said they won't introduce backwards incompatible changes anymore so getting past 22.0 would mean we could just rely on using the latest at all times.
>
> I'm not sure the cost of upgrading our dependencies to be compatible with 22.0+ though.
>
> On Mon, Oct 15, 2018 at 11:11 AM Andrew Pilloud <apill...@google.com> wrote:
>
>> We vendor a known vulnerable version of Guava. The specific vulnerability is low to no impact on Beam but it does potentially affect any server that uses Java serialization with Beam on the classpath. Do we have a reason for still being on Guava 20.0?
>>
>> https://github.com/google/guava/wiki/CVE-2018-10237
>>
>> Andrew
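The thread's practical question is which dependencies still pull in an affected Guava (gRPC 1.15.1 pinning 20.0 being the example given). The script below is an added illustration, not code from the thread or from Beam; it scans a constructed sample of `mvn dependency:tree` output, flags every Guava artifact in the range the linked advisory covers (11.0 up to but not including 24.1.1, which is assumed here as the fixed version), and reports which direct dependency introduces each one.

```python
import re

# Affected range per the CVE-2018-10237 advisory linked in the thread:
# Guava 11.0 through 24.x, fixed in 24.1.1 (assumed fixed version).
FIRST_AFFECTED = (11, 0, 0)
FIXED = (24, 1, 1)

# Constructed sample of `mvn dependency:tree` output (not real Beam output).
SAMPLE_TREE = r"""[INFO] org.example:beam-app:jar:1.0
[INFO] +- io.grpc:grpc-core:jar:1.15.1:compile
[INFO] |  \- com.google.guava:guava:jar:20.0:compile
[INFO] +- com.google.guava:guava:jar:24.1.1-jre:compile
[INFO] \- org.example:other:jar:2.0:compile
[INFO]    \- com.google.guava:guava:jar:24.1-jre:compile
"""

# group:artifact:jar:version[:scope] as printed by the Maven dependency plugin
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)
# Tree branch markers ("+- " or "\- "); their column encodes the depth.
MARKER_RE = re.compile(r"[+\\]- ")


def parse_version(version):
    """'24.1-jre' -> (24, 1, 0); drops -jre/-android qualifiers, pads to 3 parts."""
    core = version.split("-")[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return (parts + (0, 0, 0))[:3]


def is_vulnerable_guava(version):
    """True when the version lies inside the affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def find_vulnerable_guava(tree_text):
    """Return [(version, (chain of parents below the root, ...)), ...] for each
    affected Guava artifact found in the dependency tree text."""
    findings = []
    path = []  # coordinates from the root down to the current node
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = COORD_RE.search(line)
        if not m:
            continue
        marker = MARKER_RE.search(line)
        # Root line has no marker; each nesting level is 3 columns wide.
        depth = 0 if marker is None else marker.start() // 3 + 1
        coord = f"{m['group']}:{m['artifact']}:{m['version']}"
        path = path[:depth] + [coord]
        if m["group"] == "com.google.guava" and m["artifact"] == "guava":
            if is_vulnerable_guava(m["version"]):
                # path[0] is the project itself; everything between it and
                # the Guava node is the chain that pulls the version in.
                findings.append((m["version"], tuple(path[1:-1])))
    return findings


if __name__ == "__main__":
    for version, chain in find_vulnerable_guava(SAMPLE_TREE):
        via = " -> ".join(chain) if chain else "(direct dependency)"
        print(f"guava {version}: affected, pulled in via {via}")
```

Run it against real output with `mvn dependency:tree -Dincludes=com.google.guava > tree.txt` and feed the file in place of `SAMPLE_TREE`. Note the caveat that matters for Beam specifically: a vendored (relocated) Guava copy shaded into another jar never appears in the dependency tree, so this check only covers declared and transitive artifacts; the shaded copy has to be checked by inspecting the vendored jar's contents.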